connectors and email routing in office 365
TRANSCRIPT
Carolyn Liu, Program Manager, Microsoft
Connectors and email routing in Office 365
SPR401
Agenda
• Basics
• Mail routing scenarios
• Connector configuration options
• Avoid common mistakes
• Q&A
Connector basics
• What are connectors
• Why are connectors needed
Mail routing and customer type
• Exchange Online (EXO)
  • Fully hosted – all mailboxes are in the cloud
  • Hybrid – some mailboxes are in the cloud, some are on-premises
• Exchange Online Protection (EOP)
  • All mailboxes are hosted on-premises; EOP is used for protection only
Customer type determines mail flow and configuration
What are inbound/outbound connectors
[Diagram: mail flow between the Internet, on-premises servers, partner servers and Office 365, with four connectors labelled:
a. Inbound connector of type OnPremises
b. Outbound connector of type OnPremises
c. Inbound connector of type Partner
d. Outbound connector of type Partner]
What are inbound/outbound connectors
Inbound connector: mail enters O365. Outbound connector: mail leaves O365.
Connector type OnPremises
  • Inbound: configure and enforce mail flow originating from on-premises servers.
  • Outbound: configure and enforce outbound routing for mail leaving the O365 service to on-premises servers. A smart host must be used for an outbound connector of type OnPremises.
Connector type Partner
  • Inbound: configure and enforce mail flow incoming from partner servers (e.g. partnerbank.com), or from a 3rd party service vendor (e.g. MessageLabs.com).
  • Outbound: configure and enforce outbound routing for mail leaving the O365 service to a partner (e.g. partnerbank.com), or to a 3rd party service vendor (e.g. MessageLabs.com). Use MX based routing or a smart host in the connector.
Why connectors are needed
Office 365 only accepts mail for its customers. Need to:
• Use inbound connector to identify customers
• Use inbound connector to enforce customized email routing
• Use outbound connector to relay email to your on-premises servers
• Use outbound connector to deliver email to your partners based on your business requirement
[Diagram: incoming mail is split into the tenant's mail (delivered to the email store), mail that is not the tenant's, and spam/virus.]
Connector and mail routing end to end scenarios
• When connectors are needed
• What connectors are needed
Fully hosted
Scenarios (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
2. [email protected] -> [email protected]
3. [email protected] -> [email protected]
4. [email protected] -> [email protected]
5. [email protected] -> [email protected]@fabrikam.com
[Diagram labels: 1 = Outbound connector of type Partner; 4 = Inbound connector of type Partner; 2 and 3 = No connector needed.]
Protection only – MX points to EOP
Scenarios (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
2. [email protected] -> [email protected]
[Diagram labels per hop: 3.1 = Inbound connector of type OnPremises; 2.2 = Outbound connector of type OnPremises; 4.1 = Outbound connector of type Partner; 3.2 = Inbound connector of type Partner; two legs marked "No connector needed, MX based"; further hops 1.1, 1.2, 2.1, 4.2.]
Hybrid – MX points to EOP
Scenarios (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
2. [email protected] -> [email protected]
3. [email protected] -> [email protected]
5. onward: eight further sender -> recipient pairs, addresses redacted
[Diagram labels per hop: 3.1 = Inbound connector of type OnPremises; 2.2 = Outbound connector of type OnPremises; 4.1 = Outbound connector of type Partner; 3.2 = Inbound connector of type Partner; two legs marked "No connector needed, MX based"; further hops 1.1, 1.2, 2.1, 4.2, 5, 6, 7.1, 7.2, 8, 9, 10.]
Hybrid – MX points to on-premises
Scenarios 1 to 10 (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
(scenarios 2 to 10 follow the same sender -> recipient form)
[Diagram labels per hop: 4.2 = Inbound connector of type OnPremises; 4.3 = Outbound connector of type OnPremises; 3.1 = Outbound connector of type Partner; 3.2 = Inbound connector of type Partner; one leg marked "No connector needed, MX based"; MX points to on-premises; further hops 1.1, 1.2, 2.1, 2.2, 2.3, 4.1, 5, 6, 7, 9, 10.1, 10.2.]
Hybrid – MX points to EOP, CMT enabled
Scenarios 1 to 11 (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
(scenarios 2 to 11 follow the same sender -> recipient form)
[Diagram labels per hop: 9.2 = Inbound connector of type OnPremises; 11.2 = Outbound connector of type OnPremises; 3.1 = Outbound connector of type Partner; 8.3 = Inbound connector of type Partner; 1.2 and 2.1 = No connector needed, MX based; further hops 1.1, 2.2, 3.2, 4.2, 5, 6, 7.1, 7.2, 8.1, 8.2, 9.1, 9.3, 10.1, 10.2, 10.3, 11.1, 11.3.]
Hybrid – MX points to service provider
Scenarios 1 to 11 (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
(scenarios 2 to 11 follow the same sender -> recipient form)
[Diagram: connectors shown are Inbound connector of type OnPremises, Outbound connector of type OnPremises (2.2), Outbound connector of type Partner (3.1), Inbound connector of type Partner, and one leg marked "No connector needed, MX based"; further hops 1.2, 2.1, 2.3, 3.2, 4.1, 4.2, 4.3, 5, 6, 7.1, 8, 9, 9.1, 10.1, 10.2, 11.1, 11.2.]
Recap
• Who needs to create connectors
  • Fully hosted customers
    • No connector of type OnPremises is needed
    • May create connectors of type Partner to meet your business requirement
  • Exchange Online Protection customers
    • Must have inbound and outbound connectors of type OnPremises
    • May create connectors of type Partner to meet your business requirement
  • Hybrid customers
    • Must have inbound and outbound connectors of type OnPremises
    • May create connectors of type Partner to meet your business requirement
    • Use Hybrid Configuration Wizard (HCW) whenever possible
Connector configuration options
Where and how to create connectors
• Office 365 tenant admin portal
  • https://login.microsoftonline.com/
  • Under Exchange Admin -> mail flow -> connectors
• Use "Remote PowerShell" cmdlets
  • New-InboundConnector / Set-InboundConnector / Get-InboundConnector
  • New-OutboundConnector / Set-OutboundConnector / Get-OutboundConnector
• Best practice
  • Always test mail flow after you complete connector creation/modification
  • Option: use a subdomain from one of the accepted domains to test mail flow
  • Option: test the outbound connector with the "Remote Connectivity Analyzer"
Connector configuration options
• Inbound of type OnPremises
  1. Certificate or IP address to identify mail flow from your organization's on-premises environment
  2. Enforce a mutually authenticated TLS connection
  3. Preserve headers for the Exchange organization in the Hybrid scenario
• Inbound of type Partner
  1. Sender domain to identify mail from the partner
  2. Enforce that mail from a certain partner comes only from certain IP addresses
  3. Enforce encryption-only TLS, or a mutually authenticated TLS connection
Connector configuration options
• Outbound of type OnPremises
  1. Smart host to relay mail to your on-premises SMTP servers
  2. Used by "Conditional Mail Routing"
  3. Recipients' domains this connector applies to
  4. Enforce encryption-only TLS, or a mutually authenticated TLS connection
  5. Enable centralized transport routing for Hybrid customers (only through HCW)
  6. Preserve headers for the Exchange organization in the Hybrid scenario
• Outbound of type Partner
  1. Option to use MX, or a smart host, to route mail
  2. A smart host should be used to relay mail to your partner's SMTP servers
  3. Recipients' domains this connector applies to
  4. Enforce encryption-only TLS, or a mutually authenticated TLS connection
  5. Used by "Conditional Mail Routing"
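The four connector shapes listed above, written out with the Remote PowerShell cmdlets the talk names. This is an added example, not code from the presentation; the connector names, contoso.com, partnerbank.com, the host names and the 203.0.113.x addresses are placeholders.

```powershell
# Added example (not from the presentation). Assumes a Remote PowerShell
# session to Exchange Online; all names, domains, hosts and IPs are placeholders.

# Inbound of type OnPremises: identify on-premises mail by certificate subject,
# require mutual TLS, and preserve cross-premises Exchange headers (hybrid).
New-InboundConnector -Name "Inbound from on-premises" `
    -ConnectorType OnPremises `
    -SenderDomains "*" `
    -RequireTls $true `
    -TlsSenderCertificateName "mail.contoso.com" `
    -RestrictDomainsToCertificate $true `
    -CloudServicesMailEnabled $true

# Outbound of type OnPremises: a smart host is mandatory (no MX routing);
# the on-premises server certificate is validated against the expected name.
New-OutboundConnector -Name "Outbound to on-premises" `
    -ConnectorType OnPremises `
    -RecipientDomains "contoso.com" `
    -UseMXRecord $false `
    -SmartHosts "mail.contoso.com" `
    -TlsSettings DomainValidation `
    -TlsDomain "mail.contoso.com" `
    -CloudServicesMailEnabled $true

# Inbound of type Partner: the sender domain identifies the partner, and mail
# claiming that domain is accepted only from the partner's published IPs.
# (Mistake 5 in the talk: any other source IP for that domain is rejected.)
New-InboundConnector -Name "Inbound from partnerbank" `
    -ConnectorType Partner `
    -SenderDomains "partnerbank.com" `
    -SenderIPAddresses "203.0.113.10","203.0.113.11" `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true

# Outbound of type Partner: MX-based routing with encryption-only TLS.
New-OutboundConnector -Name "Outbound to partnerbank" `
    -ConnectorType Partner `
    -RecipientDomains "partnerbank.com" `
    -UseMXRecord $true `
    -TlsSettings EncryptionOnly

# Review the result before testing mail flow, as the best-practice slide says.
Get-InboundConnector  | Format-Table Name,ConnectorType,RequireTls,RestrictDomainsToCertificate,RestrictDomainsToIPAddresses
Get-OutboundConnector | Format-Table Name,ConnectorType,UseMXRecord,SmartHosts,TlsSettings,TlsDomain
```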
Clarification for TLS options
• Office 365 supports:
  • Encryption only (uses the server certificate)
  • Client/server mutually authenticated TLS
• Messages entering Office 365/EOP
  • Client: on-premises server or partner server
  • Server: O365/EOP service
  • Certificate domain name on the connector: it is the client's certificate domain name
• Messages leaving Office 365/EOP
  • Client: O365/EOP service
  • Server: on-premises server or partner server
  • Certificate domain name on the connector: it is the server's certificate domain name
Use smart host for outbound routing
• Available options
  • Allows IP addresses as well as FQDNs
  • Allows multiple smart host entries
• Service behavior
  • Uses a round robin method to connect to a smart host when there are multiple entries
  • Uses the MX record preference value if the smart host is an FQDN
  • Tries all of the smart hosts until one connection succeeds
  • Retries every 15 min if the service failed to connect to any of the smart hosts on the connector
Use 3rd party service provider
• Supported scenarios
  • Internet -> 3rd party service -> O365 (hosted mailboxes)
  • Internet -> 3rd party service -> O365 -> on-premises
  • On-premises -> O365 -> 3rd party -> Internet
• Not supported scenarios
  • On-premises -> 3rd party service -> O365 -> Internet
• Best practice
  • Internet -> 3rd party service -> O365/on-premises: no connector is required, or create a connector of type Partner
  • Never create an inbound connector of type OnPremises
Use conditional mail routing (criteria based routing)
• Based on conditions in "Exchange Transport Rules" (ETR)
• A connector used by ETR cannot also be used for regular recipient based routing, and vice versa
• Best practice
  • Use this if you want to enforce TLS only for certain recipients
  • Use this when you need to route mail to different locations based on users
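Both best-practice cases above (TLS only for certain recipients, and routing by user) built on one transport-rule-scoped connector. This is an added example, not the presentation's code; the connector and rule names, secure-gw.partnerbank.com, finance@contoso.com and the Department value are placeholders.

```powershell
# Added example (not from the presentation). Assumes a Remote PowerShell
# session to Exchange Online; names, hosts, group and attribute values are placeholders.

# Connector reserved for transport rules: IsTransportRuleScoped keeps it out of
# ordinary recipient-domain routing, so only matching ETRs can select it.
New-OutboundConnector -Name "TLS-required route" `
    -ConnectorType Partner `
    -UseMXRecord $false `
    -SmartHosts "secure-gw.partnerbank.com" `
    -TlsSettings DomainValidation `
    -TlsDomain "secure-gw.partnerbank.com" `
    -IsTransportRuleScoped $true

# Case 1: enforce mutual TLS only for certain recipients. Mail from the finance
# group to partnerbank.com goes out through the TLS-validated connector; every
# other message to that domain still follows normal routing.
New-TransportRule -Name "Finance to partnerbank over TLS" `
    -FromMemberOf "finance@contoso.com" `
    -RecipientDomainIs "partnerbank.com" `
    -RouteMessageOutboundConnector "TLS-required route"

# Case 2: route by user. Senders whose Department attribute is Legal are
# sent out through the same connector regardless of recipient.
New-TransportRule -Name "Legal users via TLS route" `
    -SenderADAttributeContainsWords "Department:Legal" `
    -RouteMessageOutboundConnector "TLS-required route"

# Verify the rule-to-connector binding and the connector scope.
Get-TransportRule | Where-Object { $_.RouteMessageOutboundConnector } |
    Format-Table Name,Priority,RouteMessageOutboundConnector
Get-OutboundConnector "TLS-required route" |
    Format-List Name,IsTransportRuleScoped,TlsSettings,TlsDomain
```

If delivery to secure-gw.partnerbank.com cannot complete with a validated certificate, the message is not silently downgraded to an unscoped connector; it stays queued on the scoped route, which is the point of enforcing TLS this way.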
AcceptedDomain type and connectors
• InternalRelay
  • Not all mailboxes are hosted in Exchange Online
  • Requires an outbound connector of type OnPremises
• Authoritative
  • The user's mailbox or MailUser exists in Exchange Online
  • For a non-existent mailbox or MailUser, mail will be rejected
  • Requires an outbound connector of type OnPremises to relay to your on-premises server, if MailUsers exist for the domain
Avoid common mistakes
Avoid common mistakes – Part 1
1. All EOP and Hybrid customers must have inbound and outbound connectors of type OnPremises
2. Test connectors using the "Remote Connectivity Analyzer"
3. Do NOT create an inbound connector of type OnPremises when using a 3rd party service provider. Create a Partner connector or do not create a connector at all.
4. Do not use AssociatedAcceptedDomains unless you need to apply the connector only to certain accepted domains
5. Be very careful when using IP restriction in an inbound connector: it will reject mail when the connecting IP address does not match
6. InternalRelay domains require an outbound connector
Avoid common mistakes – Part 2
7. When using "Centralized Mail Transport" (a.k.a. CMT)
  • Must have an inbound connector of type OnPremises
  • Cannot have AssociatedAcceptedDomains set in the inbound connector of type OnPremises
8. Do not use * in RecipientDomains for an outbound connector of type OnPremises, unless Centralized Mail Transport is enabled.
9. Make sure the smart host in the outbound connector is correctly configured
Note: Most of the above are already enforced in service configuration
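A read-only audit that checks a tenant's live connector configuration against mistakes 1, 5, 6, 7, 8 and 9 above (2, 3 and 4 need human judgement). This is an added example, not from the presentation; $isHybridOrEop is an assumption you set for your own tenant, since fully hosted customers need no OnPremises connectors.

```powershell
# Added example (not from the presentation). Assumes a Remote PowerShell
# session to Exchange Online. Set $isHybridOrEop for your tenant type.
$isHybridOrEop = $true
$findings = @()

$inbound   = Get-InboundConnector  | Where-Object { $_.Enabled }
$outbound  = Get-OutboundConnector | Where-Object { $_.Enabled }
$inOnPrem  = $inbound  | Where-Object { $_.ConnectorType -eq 'OnPremises' }
$outOnPrem = $outbound | Where-Object { $_.ConnectorType -eq 'OnPremises' }

# 1. EOP and hybrid tenants must have both OnPremises connectors.
if ($isHybridOrEop -and (-not $inOnPrem -or -not $outOnPrem)) {
    $findings += "Missing inbound or outbound connector of type OnPremises"
}
# 5. IP-restricted inbound connectors reject mail from any other source IP.
foreach ($c in $inbound | Where-Object { $_.RestrictDomainsToIPAddresses }) {
    $findings += "Inbound '$($c.Name)' only accepts $($c.SenderDomains -join ',') from $($c.SenderIPAddresses -join ',')"
}
# 6. InternalRelay accepted domains need an outbound OnPremises connector.
$relay = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'InternalRelay' }
if ($relay -and -not $outOnPrem) {
    $findings += "InternalRelay domains ($($relay.DomainName -join ',')) but no outbound OnPremises connector"
}
# 7. CMT needs an inbound OnPremises connector with no AssociatedAcceptedDomains.
$cmt = $outOnPrem | Where-Object { $_.RouteAllMessagesViaOnPremises }
if ($cmt) {
    if (-not $inOnPrem) { $findings += "CMT enabled but no inbound OnPremises connector" }
    foreach ($c in $inOnPrem | Where-Object { $_.AssociatedAcceptedDomains }) {
        $findings += "CMT enabled but inbound '$($c.Name)' has AssociatedAcceptedDomains set"
    }
}
# 8. '*' in RecipientDomains of an outbound OnPremises connector without CMT.
foreach ($c in $outOnPrem | Where-Object { ($_.RecipientDomains -contains '*') -and -not $_.RouteAllMessagesViaOnPremises }) {
    $findings += "Outbound OnPremises '$($c.Name)' routes '*' without Centralized Mail Transport"
}
# 9. Outbound OnPremises connectors must use a smart host, never MX routing.
foreach ($c in $outOnPrem | Where-Object { $_.UseMXRecord -or -not $_.SmartHosts }) {
    $findings += "Outbound OnPremises '$($c.Name)' has no smart host configured"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No connector configuration issues found" }
```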
Q & A
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix
Send connectors on-premises
• Need to configure a send connector for O365/EOP; use a smart host based on your organization's domain MX, in the form contoso-com.protection.outlook.com
• HCW will do this for you for hybrid
Receive connectors on-premises
• EOP's published outbound IP addresses are here.
• You can enforce the receive connector to only accept mail from those IP addresses.
Use centralized mail transport
• Mail sent from or to cloud mailboxes will be routed to your organization's on-premises SMTP server first
• Requires both inbound and outbound connectors of type OnPremises
• Best practice: use the Hybrid Configuration Wizard
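The on-premises side of the two appendix items, for an EOP (protection only) customer: a send connector that relays everything to EOP through the MX-derived smart host, and a receive connector restricted to EOP's published IPs. This is an added example, not from the presentation or the HCW; EX01, mail.contoso.com and the $eopRanges placeholder are assumptions (the real ranges come from the list the slide links to).

```powershell
# Added example (not from the presentation). Run in the on-premises Exchange
# Management Shell. Server and host names are placeholders.

# Send connector to O365/EOP. Smart host is the org's MX name in the form the
# slide gives; DNS routing must be off when a smart host is used. TLS is
# required and EOP's certificate is validated by name (DomainValidation).
New-SendConnector -Name "To Office 365" `
    -AddressSpaces "*" `
    -SmartHosts "contoso-com.protection.outlook.com" `
    -DNSRoutingEnabled $false `
    -RequireTLS $true `
    -TlsAuthLevel DomainValidation `
    -TlsDomain "mail.protection.outlook.com" `
    -Fqdn "mail.contoso.com" `
    -SourceTransportServers "EX01"

# Receive side: limit the Internet-facing frontend receive connector to EOP's
# published outbound IP ranges so nothing can bypass EOP filtering.
$eopRanges = @("<EOP outbound IP range 1>", "<EOP outbound IP range 2>")   # placeholder
Set-ReceiveConnector -Identity "EX01\Default Frontend EX01" `
    -RemoteIPRanges $eopRanges `
    -RequireTLS $true

# Confirm the resulting configuration.
Get-SendConnector "To Office 365" | Format-List SmartHosts,RequireTLS,TlsAuthLevel,TlsDomain
Get-ReceiveConnector "EX01\Default Frontend EX01" | Format-List RemoteIPRanges,RequireTLS
```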
Hosted – MX points to service provider
Scenarios 1 to 4 (sender -> recipient; addresses are redacted in the source):
1. [email protected] -> [email protected]
(scenarios 2 to 4 follow the same sender -> recipient form)
[Diagram: connectors shown are Outbound connector of type Partner and Inbound connector of type Partner, plus one leg marked "No connector needed, MX based"; hops 1, 2, 3.1, 3.2, 4.1, 4.2.]